Network Pivoting Using SSH & Return Reverse Shell From Internal Network Machine

Bryan Leong (NobodyAtall)
5 min read · May 22, 2021


We pivot into the internal network through SSH port forwarding to gain access to the internal network web server. Then we return a reverse shell from the internal network web server to our machine via SSH remote port forwarding.

Topology of Network Pivoting

Explanation on the Network Topology Scenario

In the network topology above, we can see that there are three machines:

  • Kali Linux: our machine, as we will be the attacker in this scenario; it sits in the 192.168.0.0/24 subnet.
Kali Linux ifconfig properties
  • Windows 7: this machine has an SSH service open on port 22 & two network interfaces connected (the first interface is in the 192.168.0.0/24 subnet, the other is in the 192.168.112.0/24 subnet).
Windows 7 ipconfig properties
  • Metasploitable: this machine hosts a web server on port 80.
Metasploitable (Web Server) ifconfig properties

Based on the network topology, we can see that the attacker can only reach the Windows 7 machine's SSH service & cannot reach the internal web server hosted by Metasploitable, because the two are in different subnets.

Unable to connect to internal network web service

But if the Kali Linux user wants to reach the internal network web server that only the Windows 7 machine can access, the attacker can use the Windows 7 machine as a pivot point to route traffic in and out of the internal network.

Routing Internal Network Traffic with Dynamic Port Forwarding via SSH

To pivot into the internal network, we first need access to the Windows 7 machine.

Let’s say that in our current scenario we managed to steal the SSH credentials and gain access to the Windows 7 machine via SSH. Now we want to reach the internal network web server hosted by Metasploitable.

On the Kali Linux machine, we can do dynamic port forwarding with the ‘ssh -D’ flag. The dynamic port forward routes the internal network traffic that the Windows 7 machine can reach through our Kali Linux machine's local port 7789.

Format of the command:

ssh -D <Kali Linux Local Port> <Windows 7 username>@<Windows 7 IP>

Dynamic port forwarding Windows 7 machine traffic to Kali Linux local port 7789

Now we need to set up our proxychains configuration file. First, we need to make sure the proxychains mode is ‘strict_chain’, as we want it to chain in the order of the proxy list we define below.

Then, in the ‘ProxyList’ section, we set ‘socks4<tab>127.0.0.1<tab>7789’, which tells proxychains to route the traffic we want through local port 7789 (the port we dynamically forwarded via SSH).

Now let’s try to reach the internal network web server that Metasploitable is hosting, using proxychains.

Proxychains command format:

proxychains firefox <Internal Web Server IP>

# This connects to port 80 of the internal web server IP by default.

We can see in the proxychains log that it routes the traffic we browse with Firefox to ‘127.0.0.1:7789’ first, which is the dynamic port forward we set up with SSH.

Only then does it connect to the internal network web server ‘192.168.112.130:80’.

Now we check back in our Firefox window & voila! We have just gained access to the internal network web server with the SSH dynamic port forwarding technique.
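What the ‘socks4 127.0.0.1 7789’ proxychains entry actually puts on the wire, as an added example that is not part of the original post: proxychains sends a SOCKS4 CONNECT for 192.168.112.130:80 to the ‘ssh -D’ listener and waits for an 8-byte reply before any HTTP bytes flow. The encoder and decoder below follow the SOCKS4 specification; the connect helper is a minimal stand-in for what proxychains does and is only exercised if you point it at a real listener.

```python
import socket
import struct

# SOCKS4 framing between proxychains and the 'ssh -D 7789' listener:
# client sends VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL;
# listener answers VN=0 and CD=90 (granted) or 91..93 (refused).
SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91


def build_socks4_connect(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Encode the SOCKS4 CONNECT request for dst_ip:dst_port (IPv4 only)."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    ip_bytes = socket.inet_aton(dst_ip)  # raises OSError on a bad IPv4 literal
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
            + ip_bytes + userid.encode("ascii") + b"\x00")


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the 8-byte SOCKS4 reply; 'granted' is True only for code 90."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version %d" % vn)
    return {"granted": cd == REPLY_GRANTED, "code": cd,
            "port": port, "ip": socket.inet_ntoa(data[4:8])}


def connect_via_socks4(proxy_host: str, proxy_port: int,
                       dst_ip: str, dst_port: int) -> socket.socket:
    """Open a TCP stream to dst_ip:dst_port through a SOCKS4 proxy, as
    proxychains does with 'socks4 127.0.0.1 7789'. Returns the socket."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_socks4_connect(dst_ip, dst_port))
    reply = parse_socks4_reply(sock.recv(8))
    if not reply["granted"]:
        sock.close()
        raise ConnectionError("SOCKS4 CONNECT refused, code %d" % reply["code"])
    return sock


if __name__ == "__main__":
    # Constructed request for the page's target 192.168.112.130:80; no network used.
    print(build_socks4_connect("192.168.112.130", 80).hex())
```

On the pivot host this tunnel shows up as an outbound connection from sshd to 192.168.112.130:80, which is the place a defender monitoring the Windows 7 box would notice it.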

Returning Reverse Shell To Us via SSH Remote Port Forwarding Technique

Let’s say that in the internal network web server we manage to find an OS command execution vulnerability & we want to spawn a reverse shell and return it to our Kali Linux machine. We can use the SSH remote port forwarding technique to bring the Metasploitable web server's reverse shell back to our Kali Linux machine.

Found an OS command execution vulnerability in internal network web server

First, we use the ‘ssh -R’ flag to route packets arriving at the Windows 7 internal network interface IP on a specific port to our Kali Linux machine's local IP & local port.

Format of SSH remote port forwarding:

ssh -R <Windows 7 Internal Network IP>:<Windows 7 Unused Port>:<Kali Linux Local IP>:<Kali Linux reverse shell listening port> <username>@<Windows 7 IP>

Performing remote port forwarding

Now we need to start our netcat listener on the local port that we used to route the traffic back to us via SSH remote port forwarding.

Now we go back to the internal network web server & spawn a reverse shell back to us. For the IP & port part of our netcat payload, we need to specify the IP & port of the Windows 7 machine exactly as we did when performing the remote port forwarding.

This is how it looks when we return the reverse shell to our Kali Linux machine.

Network topology returning reverse shell back to our Kali Linux

Now let’s execute the netcat reverse shell command & return the reverse shell to our Kali Linux machine.

Let’s check back on our Kali Linux machine's netcat listener & voila! The reverse shell has been returned to us successfully.
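Whether the ‘ssh -R <Windows 7 Internal Network IP>:<port>:…’ form above can work at all depends on the pivot host's sshd configuration: OpenSSH binds remote forwards to loopback unless GatewayPorts is ‘yes’ or ‘clientspecified’, and AllowTcpForwarding can refuse -R, -L and -D outright. The checker below is an added example, not from the post, and assumes the Windows 7 host runs OpenSSH sshd with its first-value-wins keyword semantics; the sample configs and the internal IP 192.168.112.10 are constructed placeholders.

```python
# Evaluates which SSH forwards an OpenSSH sshd_config on the pivot host permits.
# Assumes OpenSSH semantics: first obtained value wins, defaults are
# AllowTcpForwarding yes and GatewayPorts no.
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> value from the global section of sshd_config.
    Everything after the first 'Match' line is conditional and is skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        conf.setdefault(key, value)  # OpenSSH keeps the first value it sees
    return conf


def forward_allowed(conf: dict, kind: str, bind_address: str = "127.0.0.1") -> tuple:
    """kind is 'local' (ssh -L/-D) or 'remote' (ssh -R); returns (allowed, reason).
    bind_address is the address the -R listener should bind on the pivot host."""
    tcp = conf.get("allowtcpforwarding", "yes")
    gateway = conf.get("gatewayports", "no")
    if tcp == "no":
        return False, "AllowTcpForwarding no: every forward is refused"
    if kind == "local" and tcp == "remote":
        return False, "AllowTcpForwarding remote: -L/-D refused"
    if kind == "remote" and tcp == "local":
        return False, "AllowTcpForwarding local: -R refused"
    if kind == "remote" and bind_address not in LOOPBACK and gateway == "no":
        return False, ("GatewayPorts no: the -R listener binds to loopback only, "
                       "so hosts on the internal subnet cannot reach it")
    return True, "permitted"


# Constructed sample configs; 192.168.112.10 below is a placeholder pivot IP.
DEFAULT_CONF = "AllowTcpForwarding yes\nGatewayPorts no\n"
PIVOT_FRIENDLY_CONF = "AllowTcpForwarding yes\nGatewayPorts clientspecified\n"
HARDENED_CONF = "# bastion: shell only, no tunnelling\nAllowTcpForwarding no\n"

if __name__ == "__main__":
    conf = parse_sshd_config(DEFAULT_CONF)
    print("default -D:", forward_allowed(conf, "local"))
    print("default -R on internal IP:", forward_allowed(conf, "remote", "192.168.112.10"))
```

With the OpenSSH defaults the -D tunnel works but the -R listener silently lands on loopback, so the reverse shell from Metasploitable never arrives; a bastion that should not be usable as a pivot sets AllowTcpForwarding no.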

Video Demonstration On Performing Network Pivoting
